Online Security Policies

Principal has a structured Information Security Program that safeguards information against unauthorized or accidental modification, disclosure, fraud, and destruction.

• Security policies and standards are documented and available to our employees.
• Collection of personal information is limited to business need and protected based on its sensitivity.
• Employees are required to complete privacy, security, ethics, and compliance training.
• Risk management processes and procedures are documented and communicated.

How to submit a security issue

Contact us to submit a security issue. We may contact you with a request for more information. 

We also have BC and DR programs. Critical business functions, processes, and supporting applications have been identified and are regularly reviewed. Appropriate response and recovery plans have been developed. Testing is completed annually.

The basis for the program is professional best practices established by industry organizations such as Disaster Recovery Institute International, Business Continuity Institute, and International Organization for Standardization . The technology recovery plan leverages geographically distant data centers, while the incident management process facilitates response and recovery activities by appropriately implementing plans if a disruptive event occurs.

All Windows servers and workstations have antivirus software installed, and updates to definitions are applied frequently. Our information technology managers review recurring reports to ensure compliance levels are met. All alerts are reviewed by staff in the cyber defense operations center.

We monitor for significant new vulnerabilities and attacks that have the potential to affect our systems and apply patches and mitigations as appropriate. We have a vulnerability management practice that regularly tests our systems to ensure they are not open to attack.

We have processes to track, manage, and resolve all incidents. If a data security incident is discovered, a response plan is promptly initiated and executed. We adhere to all applicable state and federal disclosure laws.

Our Network Security and Privacy Liability cybersecurity insurance policy includes any network security or privacy event discovered during the policy period affecting a majority-owned member company of Principal and events originating from our third-party service providers.

Principal is a member of the Financial Services–Information Sharing and Analysis Center (FS-ISAC). FS-ISAC is an industry forum for collaboration on critical security threats facing the global financial services industry.

Principal has a defined Supplier Management Program, which includes processes for vetting, selecting, and monitoring third-party service providers. Third-party security profiles are completed when certain types of data are provided to and/or stored at a third-party location. Additional risk assessments may be completed based on the nature of the third-party service or solution provided. For example, a separate risk assessment is completed if a third party is granted access to our networks, systems, or data.

• Call centers have procedures in place to help validate the identity of callers.
• Regular training on how to detect fraudulent activities is conducted with our employees.
• Strict standards that limit access to data are followed.
• Regular testing of our security controls is performed.

If you have questions or comments regarding any of our security policies, procedures, or practices, please contact us.

• Choose passwords that are not duplicates of other personal information (e.g., Social Security number, birth date, etc.).
• Choose a password that is easy for you to remember, but difficult for others to guess. Do not use information about yourself that others can easily find out.
• When possible, use a passphrase instead of a password, making it as long as you can without using any common phrases or quotes and include characters, numbers, and uppercase and lowercase letters.
• Using a mobile device? We highly recommend setting a device passcode/password of at least six characters or using biometric features on your device.

• Never share your PINs, usernames, or passwords with anyone. Be cautious of emails or individuals who ask for this information. We will never ask for your personal password.
• Identify one secure location in your home to store all your financial records.
• Do not use the same passwords across web sites, especially those sites that store and process financial information. If other sites are not secure, your password could be compromised.
• Certain devices are eligible to enable biometric sign-on; an example is fingerprints. Use caution if you store multiple biometrics on your device, such as fingerprints from a spouse/partner or child, as those users could access mobile apps on your phone. This includes the Principal mobile app when fingerprint is enabled.
• Review and balance your account statements on a regular basis. Watch for any transactions showing unfamiliar payees and amounts you do not recognize.

Your personal computer

Your home computer is likely where you go online to check your accounts with us and do business with other companies. That’s why it’s important to protect it from viruses and spyware with antivirus software and frequently applied updates. Most major software companies regularly release updates or patches to their operating systems to prevent security problems. It’s a good idea to keep your system and applications updated with the latest patches and releases.

Your mobile devices

Don’t forget about your smartphone and tablet—it’s just as important as a personal computer.

Always activate a PIN or lock function for your device. This is the simplest and most important thing you can do to ensure security on your mobile device, especially if it’s lost or stolen.

Use caution when downloading apps. Avoid installing applications outside of the Apple or Google app stores. Some apps can contain malware designed to steal your personal and financial information. Before you install the app, review permissions to decide if you’re comfortable granting the level of access requested by that app. It’s also a good idea to read other user reviews and comments to see if anything suspicious has been reported about the app.

Identity theft and identity fraud includes all types of crime where someone gets and uses another person’s personal data in a way that involves fraud or deception, usually for economic gain.

For more on how to protect your identity, read these tips from the Federal Trade Commission and the IRS.

Using a wireless network at home is convenient but leaving it unsecured is an opportunity for cyber criminals to access and discover sensitive information. Make sure you use a unique passcode, so your family is the only one using the network. You can also contact your wireless software vendor about stronger encryption.

Read more from the Federal Trade Commission about online security. 

After you sign into a website, remember to sign out. It's an easy step you can take to ensure your information doesn't end up in the wrong hands.

We recommend checking your credit report regularly with each of the three major credit bureaus. You're entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting companies. Order online from annualcreditreport.com, the only authorized website for free credit reports, or call +1-877-322-8228. You will need to provide your name, address, Social Security number, and date of birth to verify your identity.

A credit report contains information on where you live, how you pay your bills, and whether you've been sued, arrested, or filed for bankruptcy. Nationwide consumer-reporting companies sell the information in your report to creditors, insurers, employers, and other businesses that use it to evaluate your credit.